Deprecate `chains` command

[lcarva]

The tkn chains command provides two subcommands, one to print the signature and one to print the payload, e.g.

🐚 tkn chain signature simple-build-run-zjzmk-image-build
{"level":"info","ts":1746107363.088566,"logger":"fallback","caller":"storage/storage.go:61","msg":"configured backends from config: [oci oci oci]"}
{"level":"info","ts":1746107363.088608,"logger":"fallback","caller":"storage/storage.go:100","msg":"successfully initialized backends: [oci]"}
[MEUCIQDIhVBQJ4ZkOv/DAbk5pSlMkGLuMfTlWutoEpBati++qwIgW9YxydQCAuAbNK9UrdG6bjqWhqrPWHSm9OKvjzKakps=]

🐚 tkn chain payload simple-build-run-zjzmk-image-build
{"level":"info","ts":1746107398.3294013,"logger":"fallback","caller":"storage/storage.go:61","msg":"configured backends from config: [oci oci oci]"}
{"level":"info","ts":1746107398.3294427,"logger":"fallback","caller":"storage/storage.go:100","msg":"successfully initialized backends: [oci]"}
{"_type":"https://in-toto.io/Statement/v0.1","subject":[{"name":"quay.io/lucarval/min","digest":{"sha256":"579f2c8575c5dcf1415100f6c1dc4483b3f90a0c7fa0085b87c04fe4d808aa71"}}],"predicateType":"https://slsa.dev/provenance/v0.2","predicate":{"buildConfig":{"tasks":[{"finishedOn":"2025-05-01T13:46:52Z","invocation":{"configSource":{},"environment":{"annotations":{"pipeline.tekton.dev/affinity-assistant":"aff ...

There are some short-comings and issues with this command:

1. The user must have access to the in-cluster Chains config. A regular user is unlikely to have this level of access.
2. There is usually a better way of retrieving such information, e.g. cosign for OCI storage, or whatever client the storage backend supports.
3. Command doesn't support PipelineRuns, only TaskRuns. Support could be added, of course.
4. When implementing support for a new backend in Chains, we must also add corresponding Retrieve* functions. These are not always straightforward for different storage backends. They serve no purpose other than fulfill this CLI use case.

Given the above, I believe we should deprecate the tkn chains CLI command and remove it completely once the required deprecation period has passed. (If we proceed here, we should also close #1547)

cc @wlynch, @chitrangpatel, @PuneetPunamiya

[pratap0007]

Hi @lcarva , If I understand correctly, we are looking to deprecate only the payload and signature subcommands of chain, not the chain command itself.

[lcarva]

@pratap0007, I think if we remove payload and signature, we should also remove chains. Otherwise, it will just be an empty command:

$ tkn chains --help
Manage Chains

Usage:
tkn chain [flags]
tkn chain [command]


Aliases:
  chain, chains

Available Commands:
  payload     Print Tekton Chains' payload for a specific taskrun
  signature   Print Tekton Chains' signature for a specific taskrun

[pratap0007]

Thank you for clarifying it.